The previous blog in this series looked at how to define your important business services. In this blog, we will consider how you can determine the impact tolerance for your important business services.
We will consider:
- What makes up an impact tolerance
- Setting a time-based impact tolerance
- Data to support your impact tolerance
- Factors not to consider when setting impact tolerance
- Backing up your impact tolerance
What makes up an impact tolerance?
In the last blog, we identified your importance business services based on whether, if they were disrupted, there would be a material adverse impact on your customers or external stakeholders.
While the consumer harm from disruption is the minimum we would expect when considering your impact tolerances, you may also include other factors – either to satisfy a regulator or to acknowledge other impacts disruption to your operations would have on the markets you operate in. In the UK financial services sector for example, assessment may include market integrity, safety and soundness, and financial stability of the market.
The first question to ask is, who do you serve? Different customers or demographics may be impacted differently during disruption of one of your important business services. It may be appropriate to segment your customer base when you are assessing your impact tolerance. In particular, you should consider whether you serve vulnerable customer groups, or other demographics who would likely experience intolerable harm sooner than other groups. We recommend reviewing any product design documents or marketing plans that might provide insight into who the target market is for those products.
Data to support your impact tolerance
You should consider existing data that might support the setting of impact tolerance:
- Complaints data to identify potential impacts to customers from isolated issues or incidents
- Historical incident data related to disruption of the important business service, and extrapolating the actual impacts over a longer timeframe
- Risk assessments, business impact analysis or scenario analysis that articulate a range of impacts, including those on external stakeholders
- Learnings that can be gleaned from reported incidents in your industry
And let’s not forget one of the best sources of information: your customers! For important business services that serve other market participants, they may be a key source of information when assessing potential effect on financial stability and other systemic impacts.
Setting a time-based impact tolerance
While there is no single defined approach, the following are two potential approaches to analyzing and refining your impact tolerance for each of your important business services:
- Starting with a very low timeframe (where harm is tolerable) and incrementally increasing it until you reach the point at which intolerable harm or other impacts are likely to be experienced
- Starting with an extremely high timeframe (where intolerable harm is inevitable) and reducing it until you reach a point where harm or other impacts start becoming tolerable
Following both approaches for each important business service may be useful in order to avoid anchoring and other cognitive bias. If they don’t meet in the middle, it provides you an initial range for further refinement.
You should consider the earliest affected group of customers when setting this tolerance. In our previous blog we mentioned potential harms such as the inability to purchase groceries, economic loss incurred by business customers that could not be recovered, or emotional distress. You will need to determine the types of impacts that would cause harm to your customers. At what point would you no longer be able to restore your customers to the position they were in? Keep in mind that the harm needs to be intolerable, not just an inconvenience.
Factors not to consider when setting impact tolerance
The following factors should not be considered when assessing tolerance levels. These may be useful tips during stakeholder engagement activities to ensure discussions don’t deviate into areas that should not influence tolerance levels:
The likelihood of disruption
Setting an impact tolerance is based on the assumption that disruption will occur, even if that likelihood is small.
The effect or cost of business continuity plans or other responses
These need to be considered after you have already set your impact tolerance. The cost to restore disruption or prepare contingencies has no bearing on the effect of the disruption.
Impact to the organization
Financial or other impacts to the organization are not factored into the assessment of impact tolerance – unless it starts affecting the financial soundness of the organization such that it will no longer be able to provide its services to customers.
Justifying your impact tolerance
For each important business service, you should describe and document the types of impacts or harms you are assessing the impact tolerance against, and why those impacts or harms become intolerable at the impact tolerance you have set. This is particularly important for regulated entities – especially if a disruption occurs that would put them under scrutiny.
A basic litmus test is to consider whether your customers or market participants would agree with the impact tolerance if you shared it with them.
About this series
We’ve now identified your important business services and set impact tolerances. In the next blog we will review how you can map your important business services in order to gain insights into the resources required to provide them and their interdependencies:
- What is operational resilience?
- What are your important business services?
- Designing your impact tolerances [this blog]
- Mapping your important business services
- Design and running of a scenario
- Identification of weaknesses and actions in your operational resilience
- What reporting do management want to see?
- Designing a good self-assessment process
Next steps for your organization
Protecht recently launched the Protecht.ERM Operational Resilience module, which
helps you identify and manage potential disruption so you can provide the critical
services your customers and community rely on.
Find out more about operational resilience and how Protecht.ERM can help:
- Watch our operational resilience webinar
- Download our operational resilience eBook
- Find out more about our Operational Resilience module
Note on regulation and terminology
While this series primarily discusses regulated entities, the guidance can apply to any organization seeking to improve their operational resilience by looking through an external stakeholder lens, whether they operate in financial services, critical infrastructure, healthcare or indeed any other industry.
We use the term ‘important business services’, which aligns with the UK’s Financial Conduct Authority/Prudential Regulation Authority terminology but can and should be adapted to different regions and sectors. There are no formal definitions yet available in the US.
We use the term ‘customer’ in this blog, which can include direct consumers, business to business relationships, patients in health care settings, or recipients of government services. The defining factor is that they are external recipients of the services you provide.